ESA PRIVACY NOTICE FOR ESA Earth Observation Framework (EOF) website

Released by: European Space Agency, as Data Controller

Addressed to: individuals whose personal data is collected and processed

Concerning collection and processing initiated by: ESA EOP Department

(hereinafter referred to as the “Department”)

The European Space Agency (herein the “Agency” or “ESA” or “We”) is committed to protect Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations

composed by

–       The Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
–       The Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
–       The Policy on Personal Data Protection (including its Annex “Governance Scheme of the Agency’s Personal Data Protection”) adopted by Director General of ESA on 1 March 2022 (“ESA PDP Policy”).

The EOF Website is a public portal leading to the collection and processing of personal data for various purposes, as described in the corresponding privacy notices, as follows:

(i)    This notice is intended to describe why and how Your personal data are collected and processed by, or on behalf of, ESA, as Data Controller, upon initiative of ESA EOP-G Department, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 10/09/2025. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein.
(ii)   Other privacy notices may apply, as indicated on the EOF Website.

(1)   How can you contact the Data Protection Officer regarding this notice?

The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int .

Specific information is available upon request from the DPO.

SEPARATE CONTROLLERS: To know the point of contact for personal data protection matters concerning separate Controllers (which are independently responsible for the collection and processing of personal data they decide upon), please refer to the privacy notices of these separate Controllers. Your queries regarding these matters will not be dealt with by ESA or its DPO.

(2)   What kind of personal data are collected and further processed?

We collect and process various kinds of personal data and may require You to provide personal data for the purposes mentioned later in this notice. Depending on the purpose for which they are collected and further processed, the personal data may include the following:

–       Identity Data: including name, surname, nationality;
–       Contact information: including, email address;
–       Professional information: including job title and company name;
–       Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser type and version, uniform resource identifier (URI) address, time zone setting and location, browser plug-in types and versions, ESA or other operating system and platform and other technology on the devices you are using – collected when you access our Website, our electronic portals and platforms which we offer or which we have agreed with you to use or made available to you where you have agreed to their use;
–       Other personal information You may provide, in particular content of exchanges with the Agency, for instance assistance data;
–       Other data, such as:

o    Your messages, date, and time the message was sent;
o    the content of the questions you have asked;
o    other data mentioned in Your messages;
o    feedback and interaction on the tools provided, support requests, etc.

(3)   How are Your personal data collected or further processed?

When ESA acts as a Data Controller, ESA collects and processes Your personal data via the EOF Website and via ESA systems, networks and devices that interconnect with the EOF Website.

In addition to the personal data We collect directly from You, we may, depending on Your situation, collect certain personal data about You indirectly including from third-parties.

(4)   Why are Your personal data collected and further processed?

ESA collects and processes Your personal data to enable ESA to fulfil its role, tasks and obligations for the legitimate purposes as set out in this privacy notice under point 5.1., e.g., for security and for fulfilment of a contractual legal agreement,

The collection and processing of personal data carried out by, or on behalf of, ESA in connection with the EOF Website will ensure adequate protection of personal data in accordance with the ESA’s positively assessed Personal Data Protection (PDP) Policy. The collection and processing of personal data will be limited to what is strictly necessary for the implementation of the processes related to the publication and usage of documentation relevant for the ESA Earth Observation Framework.

In any case, we do not process Your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or legally permitted.

Further information on the purpose of processing is provided by clicking on links associated with each section below, which correspond to various situations that may be relevant to You.

What is the purpose of processing. Your personal data?

IF YOU REQUEST, OR ARE PROVIDED ACCESS, TO YOUR ACCOUNT IN THE EOF Website Your personal data are collected and further processed for the following purposes: i.        to manage Your free-of-charge account (e.g. validation, authorization and creation) in the EOF Website (herein “Your account”); ii.        to manage access to Your account according to the user access policy; iii.        to exchange correspondence or any types of messages with You about the EOF Website functionalities available via Your Account; iv.        to inform and raise awareness in relation with the EOF Website functionalities and documents accessible via Your account; v.        to perform monitoring of your use via Your account to EOF Website; vi.        to analyse and monitor Your interactions with the EOF Website via Your account; vii.        to deal with your current and future queries or requests submitted via Your account or to otherwise engage with you; viii.        to analyse and monitor Your reactions to content available in the EOF Website via Your account, and initiatives; ix.        to analyse and monitor Your reactions to the usage of the chatbot available in the EOF Website via Your account; x.        to ensure measurement of various criteria in relation to the availability of Your account in EOF Website; xi.        to gather statistics with a view to enhancing the user experience of the EOF Website; xii.        to identify and track unauthorised access or any attempts to access Your account in the EOF Website without permission; to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.

IF YOU FORMULATE A REQUEST OR A COMPLAINT IN THE EXERCISE OF YOUR RIGHTS In particular, Your personal data are collected and further processed for the following purposes: I.        to handle any questions or complaints you submit to ESA; II.        to respond to any request relating to your rights; III.        to defend ESA from possible liability claims that may arise.

IF YOU USE ESA IFORMATION AND COMMUNICATION TECHNOLOGY (IT) INFRASTRUCTURE, TOOLS AND SERVICES (operated by ESA or on behalf of ESA) IN RELATION TO THE EOF Website Your personal data may be collected and further processed for the following purposes: i.        to provide You access to the IT infrastructure, tools and services operated by or on behalf of ESA; ii.        to provide optimal data flow between target environments in an automated manner; iii.        to provide access and proper performance of the service to end-users; iv.        to provide support services and to ensure the management and maintenance of the service; v.        to manage provision of IT services such as identity and access management; incident prevention, vi.        management, reporting; vii.       to ensure data subject rights management; viii.      to ensure personal data quality and accuracy. ix.        to provide tools that facilitate transcription, evaluation, reporting or automated processing.

NOTA BENE:           If Your personal data processing is subject to one of the situations above, other sections may be relevant to You. You are thus invited to take knowledge of information provided under all the sections that are relevant to your case. In the description of the purpose, we made the choice to avoid duplication.

(5)   On what legal grounds do We collect and process Your data?

We process Your personal data in relation to the EOF Website pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to

You in additional notices, as appropriate.

What are the legal basis for processing Your personal data?

5.1 General basis for processing under ESA PDP Policy The processing referred to in this notice falls under Article 5.2.1 of the ESA PDP Policy, e.g., it is necessary: a)     for the performance of an activity carried out by the Agency within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment  of a European Space Agency and the European Space Agency for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for the Agency’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or b)     (b) compliance with a legal obligation to which the Agency is subject; or c)      (c) a task in the frame of the Agency’s cooperation with the competent authority of Member States, in order to facilitate the proper administration of justice; or d)     (d) for security; or e)     (e) for the performance of a contract concluded by the Agency within its purpose in relation with an activity carried out by the Agency in the framework of, and in conformity with, the ESA Convention and the applicable rules and procedures; f)      (f) for Your legitimate interest; or g)     (g) for purposes covered by Your Consent, where applicable, as it may be obtained from You under a separate document (e.g., Consent form).

(6)   In which circumstances may We transfer or provide access to Your personal data?

Where relevant, We may disclose Your personal data to recipients (e.g. ESA staff members, advisors, contractors), under a “need to know” principle, for carrying out the processing operations referred to in this notice. They are generally located in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United-Kingdom).

When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g. Australia, United States, etc.), We will not proceed to the transfer of Your data unless You consented to it or unless the conditions set forth in ESA PDP framework (see Article 5.3 of ESA PDP Policy) are fulfilled. As appropriate, We take adequate safeguards (e.g. via appropriate contractual clauses) in order to obtain from third-party recipients a level of protection equivalent to that offered within the European Union and the European Economic Area.

In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, in particular the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not always be withdrawn.

You may be provided with information regarding the privacy notices of separate controllers of personal data either herein or elsewhere in Our communications to you.

In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including the ones having an investigative role or the ones involved in the concerned legal proceedings.

(7)   How long do We retain Your personal data for?

Your data are stored for the shortest time possible, taking into account the reasons why we need to process Your data, as well as all legal obligations applicable to the Agency. The Agency established time limits to erase or review the data stored. Retention periods applied by the Agency are proportionate to the purposes for which they were collected. Thus, the Agency will keep Your personal data for as long as necessary for the fulfilment of those purposes, which will be at least for the duration mentioned in the Table below. Your Personal Data is deleted upon expiry of the applicable retention period. By way of exception, We may keep Your personal data for a longer period, for archiving purposes in the public interest or for reasons of scientific or historical research, being reminded that appropriate technical and organisational measures are put in place (e.g. anonymisation, encryption, etc.).

Data collected for Contractual Purposes and for Legitimate Interest Purposes is retained during the provision of the services plus a period of 5 years after the termination or withdrawal from the contract with the Processor, except when the detention of the data is necessary to respond or to file a legal action, upon request of the competent authorities or in compliance with the applicable laws;

(8)   How do We protect and safeguard Your personal data?

All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the Agency collects and processes personal data in conditions protecting confidentiality, integrity, and security of personal data.

In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data. These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.

(9)   What are Your rights as data subject and how can you exercise them?

Under conditions detailed in the ESA PDP Framework, You have:

–          the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be
–          disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc. ; this is the purpose of this privacy notice and any other notice referred to herein ;
–          the right to access the personal data We process about You; unless you have access to such data via an account, you may send us your request by email to dpo@esa.int ;
–          the right to have Your personal data erased, rectified, completed; if you want to review and correct the personal information, you can either do it yourself, in case you have access to such data via an account, or you may send us your request by email to dpo@esa.int ;
–          the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of
–          procedure. In case You demonstrate, or have serious reasons to believe, that a data protection incident ESA-DPNR: 2518 occurred in relation with Your personal data, following a decision of ESA, you may send notify us thereof by email to dpo@esa.int .

Once a request to erase data is received, we will ensure that the data are deleted unless it can be processed on another legal ground, as mentioned in Article 5.1 above. If Your data was processed for several purposes, We do not process personal data for the part of the processing for which consent has been withdrawn.

For instance:

–          Your personal data may continue to be processed for the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims;
–          If there are multiple processing concerning You, based on consent, You have to expressly indicate which consent you wish to withdraw.

When the processing of Your personal data are based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent.

You may wish to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int .

You may be asked additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.